<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="generator" content="AsciiDoc 8.6.8" />
<link rel="Shortcut Icon" href="/images/favicon.ico" type="image/x-icon" />
<title>Fuzzer Development Methodology</title>
<link rel="stylesheet" href="asciidoc.css" tppabs="http://old.peachfuzzer.com/asciidoc.css" type="text/css" />
<link rel="stylesheet" href="website.css" tppabs="http://old.peachfuzzer.com/website.css" type="text/css" />
</head>

<body>

<div id="layout-menu-box">
<div id="layout-menu">
  <div><a href="WhatIsPeach.html" tppabs="http://old.peachfuzzer.com/WhatIsPeach.html">What is Peach</a></div>
  <div><a href="Installation.html" tppabs="http://old.peachfuzzer.com/v3/Installation.html"><b>Installing</b></a></div>
  <div><a href="PeachQuickStart.html" tppabs="http://old.peachfuzzer.com/v3/PeachQuickStart.html"><b>Tutorials</b></a></div>
  <div><a href="Methodology.html" tppabs="http://old.peachfuzzer.com/Methodology.html">Methodology</a></div>
  <div><a href="Introduction.html" tppabs="http://old.peachfuzzer.com/Introduction.html">Introduction</a></div>
  <div><a href="Training.html" tppabs="http://old.peachfuzzer.com/Training.html">Training</a></div>
  <div><a href="http://www.dejavusecurity.com/peach.html">Enterprise</a></div>
  <div><a href="FAQ.html" tppabs="http://old.peachfuzzer.com/v3/FAQ.html">FAQ</a></div>
  <div><a href="http://forums.peachfuzzer.com/forum.php">Support Forums</a></div>

  <div><h5>Peach 3</h5></div>
  <div><img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="PeachPit.html" tppabs="http://old.peachfuzzer.com/v3/PeachPit.html">Peach Pits</a></div>
  <div>&nbsp;<img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="GeneralConfiguration.html" tppabs="http://old.peachfuzzer.com/v3/GeneralConfiguration.html">General Conf</a></div>
  <div>&nbsp;<img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="DataModeling.html" tppabs="http://old.peachfuzzer.com/v3/DataModeling.html">Data Modeling</a></div>
  <div>&nbsp;<img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="StateModel.html" tppabs="http://old.peachfuzzer.com/v3/StateModel.html">State Modeling</a></div>
  <div>&nbsp;<img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="AgentsMonitors.html" tppabs="http://old.peachfuzzer.com/v3/AgentsMonitors.html">Agents</a></div>
  <div>&nbsp;&nbsp;<img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="AgentsMonitors.html" tppabs="http://old.peachfuzzer.com/v3/AgentsMonitors.html">Monitors</a></div>
  <div>&nbsp;<img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="TestConfig.html" tppabs="http://old.peachfuzzer.com/v3/TestConfig.html">Test</a></div>
        <div>&nbsp;&nbsp;<img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="Publisher.html" tppabs="http://old.peachfuzzer.com/v3/Publisher.html">Publishers</a></div>
  <div>&nbsp;&nbsp;<img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="Logger.html" tppabs="http://old.peachfuzzer.com/v3/Logger.html">Loggers</a></div>
  <!-- <div>&nbsp;<img src="/images/1.gif" /><a href="/v3/DebuggingPitFiles.html">Debugging Pits</a></div> -->
  <!-- <div>&nbsp;<img src="/images/1.gif" /><a href="/v3/ValidatingPitFiles.html">Validating Pits</a></div> -->
  <div><img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="RunningPeach.html" tppabs="http://old.peachfuzzer.com/v3/RunningPeach.html">Running</a></div>
  <!-- <div><img src="/images/1.gif" /><a href="/v3/ParallelPeach.html">Parallel</a></div> -->
  <!-- <div><img src="/images/1.gif" /><a href="/v3/ExtendingPeach.html">Extending</a></div> -->
  <div><img src="1.gif" tppabs="http://old.peachfuzzer.com/images/1.gif" /><a href="minset.html" tppabs="http://old.peachfuzzer.com/v3/minset.html">Minset</a></div>

  <div><h5><a href="peach23.html" tppabs="http://old.peachfuzzer.com/v2/peach23.html">Peach 2.3</a></h5></div>

  <div><hr/></div>

  <div><a href="License.html" tppabs="http://old.peachfuzzer.com/License.html">License</a></div>
</div>
</div>
<div id="layout-content-box">
<div id="layout-banner">
  <div id="layout-title">
    <a href="index.htm" tppabs="http://old.peachfuzzer.com/"><img src="peach_fuzzer.png" tppabs="http://old.peachfuzzer.com/images/peach_fuzzer.png" height="100" /></a>
    <a href="http://www.dejavusecurity.com/peach.html" class="layout-inner-banner-right">
                <img height="50" src="dejavusecurity.png" tppabs="http://old.peachfuzzer.com/images/dejavusecurity.png" /></a>
  </div>

  <div id="layout-description">
      </div>
</div>
<div id="layout-content">
<div id="content">
<div class="sect1">
<h2 id="_fuzzer_development_methodology">Fuzzer Development Methodology</h2>
<div class="sectionbody">
<div class="paragraph"><p>Here is the quick development methodology I use for creating fuzzers.  For network protocols, Wireshark typically takes the place of the 010 Hex Editor in the steps below.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_the_tools">The Tools</h2>
<div class="sectionbody">
<div class="paragraph"><p><strong>XML Editor</strong></p></div>
<div class="ulist"><ul>
<li>
<p>
Visual Studio (Express editions are free)
</p>
</li>
<li>
<p>
oXygen XML Editor ($$)
</p>
</li>
</ul></div>
<div class="paragraph"><p><strong>010 Hex Editor</strong></p></div>
<div class="paragraph"><p>The best hex editor around, chosen for how easy it makes writing binary templates that describe a file&#8217;s structure.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_the_process">The Process</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_locate_specification_or_parser_code">Locate specification or parser code</h3>
<div class="paragraph"><p>The first step is to locate a complete specification of the target format or protocol.  It is also worth reviewing the parser logic to find deviations from the specification; for example, some FTP implementations accept custom FTP commands that are not in the RFC.  Reviewing the parser may also suggest additional mutations that would test the protocol more thoroughly.</p></div>
</div>
<div class="sect2">
<h3 id="_010_editor_wireshark">010 Editor/Wireshark</h3>
<div class="paragraph"><p>This next step is optional, but I&#8217;ve found it extremely useful when creating pit files for moderately complex formats.  Creating an 010 Template or a Wireshark dissector lets you explore sample files or captured traffic, which helps both in building and in debugging the pit file.</p></div>
<div class="paragraph"><p>There is a repository of 010 Templates at <a href="http://www.sweetscape.com/010editor/templates/">http://www.sweetscape.com/010editor/templates/</a>; check there first for common formats.</p></div>
</div>
<div class="sect2">
<h3 id="_write_and_debug_the_peach_pit">Write and Debug the Peach Pit</h3>
<div class="paragraph"><p>Create the Pit file based on the specification, the parsing logic, and the 010 Editor/Wireshark analysis of the samples. Your goal at this point is to configure your Pit so that the first iteration of fuzzing (when no mutators are applied) interacts with your target as if it were a valid peer or a valid file.  For a network fuzzer this means sending valid messages and completing a valid protocol handshake.  For a file format fuzzer this means producing a new file that is byte-for-byte identical to the sample file used as input.</p></div>
<div class="paragraph"><p>Our tutorials offer a great introduction to building Pits from scratch. They can be found <a href="PeachQuickStart.html" tppabs="http://old.peachfuzzer.com/v3/PeachQuickStart.html">here.</a></p></div>
<div class="paragraph"><p>One of the most difficult and important tasks in building the pit file is debugging it to verify that it works as intended.  Peach provides several tools and methods that help with debugging and validating pit files.</p></div>
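<div class="paragraph"><p>As an added example (it is not part of this page or of the Peach project&#8217;s own pits), here is a complete Peach 3 pit for a hypothetical file format: a four-byte <code>FUZ1</code> signature, a one-byte version, a big-endian 32-bit payload length, and the payload itself.  The format, the file names <code>sample.bin</code> and <code>fuzzed.bin</code>, and the method name <code>ScoobySnacks</code> are assumptions for illustration.  The size relation is the important part: without it the first iteration still round-trips, but every later iteration that grows or shrinks the payload would leave the length field stale, and most targets would reject the file before reaching the parsing code you want to test.</p></div>

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example pit for a hypothetical "FUZ1" container format; not the project's own. -->
<Peach xmlns="http://peachfuzzer.com/2012/Peach"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://peachfuzzer.com/2012/Peach ../peach.xsd">

  <DataModel name="FileModel">
    <!-- Fixed signature. token="true" tells the cracker this value must match exactly
         when loading sample.bin, so a wrong sample fails loudly instead of silently. -->
    <String name="Magic" value="FUZ1" token="true"/>

    <!-- One-byte format version (assumed value 1 for this made-up format). -->
    <Number name="Version" size="8" value="1"/>

    <!-- Big-endian 32-bit length of Payload. The size relation keeps this field
         consistent when later iterations mutate Payload to a different length. -->
    <Number name="PayloadLength" size="32" endian="big">
      <Relation type="size" of="Payload"/>
    </Number>

    <!-- Variable-length payload; when cracking sample.bin its size comes from PayloadLength. -->
    <Blob name="Payload"/>
  </DataModel>

  <StateModel name="TheState" initialState="Initial">
    <State name="Initial">
      <!-- Write one file per iteration. The single iteration run by "peach.exe -1"
           must reproduce sample.bin exactly. -->
      <Action type="output">
        <DataModel ref="FileModel"/>
        <Data fileName="sample.bin"/>
      </Action>
      <Action type="close"/>
      <!-- Hook for an agent monitor configured with StartOnCall="ScoobySnacks".
           With no Agent attached to the Test this call is a no-op. -->
      <Action type="call" method="ScoobySnacks" publisher="Peach.Agent"/>
    </State>
  </StateModel>

  <Test name="Default">
    <StateModel ref="TheState"/>
    <Publisher class="File">
      <Param name="FileName" value="fuzzed.bin"/>
    </Publisher>
    <Logger class="File">
      <Param name="Path" value="logs"/>
    </Logger>
  </Test>
</Peach>
```

<div class="paragraph"><p>Place a real sample file next to the pit as <code>sample.bin</code>, check the pit with <code>peach.exe -t</code>, then run <code>peach.exe -1</code> and confirm that <code>fuzzed.bin</code> is byte-for-byte identical to <code>sample.bin</code> (010 Editor&#8217;s compare feature or <code>fc /b</code> on Windows).  If the Magic token does not match, or PayloadLength disagrees with the actual payload size in the sample, the cracker will fail at that element; the Peach Validator shows exactly which offsets each element consumed, which is the quickest way to locate such a mismatch.</p></div>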
<div class="sect3">
<h4 id="_parse_testing">Parse Testing</h4>
<div class="paragraph"><p>The first tool at your disposal verifies that the Peach Pit file parses correctly.  Getting the pit file to parse is the first, and usually the easiest, step in debugging and validating your fuzzer.</p></div>
<div class="paragraph"><p>To test the pit file, run the command line tool with the <code>-t</code> argument as shown below.  The output will indicate success or failure and provide information on how to resolve any issues.</p></div>
<div class="listingblock">
<div class="content">
<pre><code>peach.exe -t mypit.xml</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_peach_validator">Peach Validator</h4>
<div class="paragraph"><p>The next tool is the graphical Peach Validator.  It allows you to load a pit file, select a DataModel, and load sample data into that DataModel.  You can then explore the resulting DataModel, the default values its elements contain, and the locations in the sample data that each element was read from.</p></div>
<div class="paragraph"><p>You can run the tool as follows:</p></div>
<div class="listingblock">
<div class="content">
<pre><code>PeachValidator.exe</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_peach_debug_output">Peach Debug Output</h4>
<div class="paragraph"><p>If you are still unable to debug your pit file with the prior tools, the last option is to review the debug output Peach produces as it parses the pit file and the sample data.  This output is verbose and sometimes cryptic, since it was originally intended for the author to debug the Peach internals.</p></div>
<div class="paragraph"><p><strong>TODO: Provide examples and an explanation of how to read the output</strong></p></div>
<div class="listingblock">
<div class="content">
<pre><code>peach.exe --debug mypit.xml</code></pre>
</div></div>
</div>
<div class="sect3">
<h4 id="_peach_single_iteration">Peach Single Iteration</h4>
<div class="paragraph"><p>If everything up to this point looks valid, run Peach with the <code>-1</code> command line option to execute a single iteration without any fuzzing of the data.</p></div>
<div class="listingblock">
<div class="content">
<pre><code>peach.exe -1 mypit.xml</code></pre>
</div></div>
<div class="paragraph"><p>For a file fuzzer, a new file should be produced that is identical to the sample file.  Verify this with 010 Editor using its compare feature.</p></div>
<div class="paragraph"><p>If your pit communicates over a network, observe the traffic with Wireshark and confirm that the communication between the fuzzer and your target matches your previous captures.</p></div>
</div>
</div>
<div class="sect2">
<h3 id="_configure_agents_and_monitors_for_target">Configure agents and monitors for target</h3>
<div class="paragraph"><p>A fundamental piece of fuzzing is detecting when your fuzzer has caused something interesting to happen.  At that point the fuzzer should gather as much relevant information about the iteration as it can, and then reset the target to a healthy state so fuzzing can continue.</p></div>
<div class="paragraph"><p>Once you are confident that your fuzzer is producing valid data, add <a href="AgentsMonitors.html" tppabs="http://old.peachfuzzer.com/v3/AgentsMonitors.html">Agents and Monitors</a> that will automate the fuzzing run and detect faults.</p></div>
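<div class="paragraph"><p>The following is an added example of the agent and monitor wiring for a file fuzzer on Windows; it is not this page&#8217;s or the project&#8217;s own configuration.  It assumes a pit whose DataModel and StateModel (named <code>TheState</code>) are already defined, with a <code>&lt;Action type="call" method="ScoobySnacks" publisher="Peach.Agent"/&gt;</code> after the StateModel&#8217;s output and close actions, and it assumes a hypothetical target <code>target.exe</code> that takes the file path as its only argument.  The <code>WinDbgPath</code> value is the usual install location of the Debugging Tools for Windows and may differ on your machine.</p></div>

```xml
<!-- Added example; assumes FileModel and the StateModel "TheState" are defined earlier in the same pit. -->
<Agent name="LocalAgent">
  <!-- WindowsDebugger runs the target under WinDbg. StartOnCall ties the launch to the
       StateModel's "ScoobySnacks" call, so target.exe starts only after fuzzed.bin has been
       written and closed. A crash is reported as a fault for that iteration and the debugger's
       crash information is saved under the logger's path. -->
  <Monitor class="WindowsDebugger">
    <Param name="CommandLine" value="target.exe fuzzed.bin"/>
    <Param name="WinDbgPath" value="C:\Program Files (x86)\Debugging Tools for Windows (x86)"/>
    <Param name="StartOnCall" value="ScoobySnacks"/>
  </Monitor>

  <!-- PageHeap enables full page heap for target.exe (via gflags.exe from WinDbgPath) so heap
       overruns fault at the overrunning instruction instead of corrupting memory silently. -->
  <Monitor class="PageHeap">
    <Param name="Executable" value="target.exe"/>
    <Param name="WinDbgPath" value="C:\Program Files (x86)\Debugging Tools for Windows (x86)"/>
  </Monitor>
</Agent>

<Test name="Default">
  <!-- Attaching the agent is what turns the StateModel's call action into a monitored launch;
       without this reference the call is a no-op and crashes go unnoticed. -->
  <Agent ref="LocalAgent"/>
  <StateModel ref="TheState"/>
  <Publisher class="File">
    <Param name="FileName" value="fuzzed.bin"/>
  </Publisher>
  <Logger class="File">
    <Param name="Path" value="logs"/>
  </Logger>
</Test>
```

<div class="paragraph"><p>Re-run <code>peach.exe -1</code> after adding the agent: the target should now be launched once against the unmodified file and exit cleanly, which confirms the monitor and the command line before any mutated data is sent.  Page heap makes the target noticeably slower and uses far more memory, so expect a lower iteration rate in exchange for catching heap bugs at the faulting instruction rather than at some later, unrelated crash.</p></div>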
</div>
<div class="sect2">
<h3 id="_commence_fuzzing">Commence fuzzing!</h3>
<div class="paragraph"><p>Finally you are all set to run the fuzzer and collect bugs!</p></div>
</div>
</div>
</div>
</div>
<div id="footnotes"></div>
<div id="footer">
<div id="footer-text">

<table width="100%">
<tr><td>
<a href="http://dejavusecurity.com/"><img src="dejavusecurity.png" tppabs="http://old.peachfuzzer.com/images/dejavusecurity.png" height="50"/></a>
</td><td>&nbsp;&nbsp;&nbsp;</td><td>

Copyright (c) <a href="http://dejavusecurity.com/">Deja vu Security</a> <br/>
Last updated 2014-02-23 21:24:21 PST
</td></tr>
</table>

</div>
</div>
</div>
</div>
</body>
</html>
